Vendor Security Controls
Last Updated: July 1, 2023
These Security Controls are implemented and maintained by Vendor in connection with Vendor’s Agreement with a Qurate Company. Vendor represents, warrants, and covenants that for so long as Vendor or any agent of Vendor is using, accessing, or otherwise Processing Personal Data or using or accessing Systems:
- Vendor has implemented and will maintain physical, administrative, technical and organizational measures that comply with Data Protection Law and that are appropriate to the nature of the Personal Data being Processed by Vendor and any risks associated with such Processing, having regard to the state of the art and the cost of implementation of such measures. The measures to be implemented and maintained by Vendor under the previous sentence include without limitation measures that (a) protect against unauthorized access, unauthorized acquisition, unauthorized destruction, unauthorized deletion, unauthorized disclosure, unauthorized use, unauthorized modification, loss, or misappropriation of Personal Data or other compromise of the security, confidentiality, integrity, or availability of Personal Data including without limitation where the Processing involves the transmission of data over a network; (b) ensure that Personal Data is logically isolated and separated from other information or databases stored, handled or Processed by Vendor for itself or third parties; (c) ensure that copies of Personal Data are not made except to the extent necessary to provide the Services to Qurate Company; and (d) ensure that any person or entity Processing Personal Data by or on behalf of Vendor is (i) provided access to the minimum amount of Personal Data that is needed to perform the Services; (ii) trained on an appropriate recurring schedule in applicable personal data security and privacy safeguards; and (iii) disciplined by Vendor through appropriate measures for violations of such safeguards;
- Vendor has implemented, and will maintain and comply with, a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Personal Data and designed to protect such Personal Data and Systems from (a) unauthorized access, unauthorized acquisition, unauthorized destruction, unauthorized deletion, unauthorized disclosure, unauthorized use, unauthorized modification, loss, or misappropriation of Personal Data or Systems; and (b) any anticipated threats or hazards to the security or integrity of Personal Data and Systems;
- Vendor has adopted, implemented, and shall maintain reasonable policies and standards related to security of Personal Data and Systems;
- Vendor has assigned responsibility for information security management and data protection with respect to Personal Data and Systems to a lead resource and other dedicated resources at Vendor, and Vendor will provide the contact details of Vendor's lead resource if requested by Qurate Company;
- Vendor is devoting, and will continue to devote, adequate personnel and other resources to information security;
- Vendor carries out background and verification checks on employees and contractors who will have access to Personal Data and Systems to the extent permitted under applicable law;
- Vendor requires employees, vendors and others with access to Personal Data and Systems by or through Vendor to enter into written confidentiality agreements;
- Vendor conducts annual training to make employees and others with access to Personal Data and Systems aware of information security risks and to enhance compliance with Vendor’s policies and standards related to data protection, as well as requiring such employees and others to keep all such data and systems secure and confidential during their assignment and thereafter. Vendor will provide details of such training to Qurate Company upon request;
- Vendor has adopted disciplinary procedures that are applied by Vendor if there is misuse of Personal Data or Systems by Vendor's employees or others with access to Personal Data or Systems;
- With respect to any person or entity other than Vendor that Processes Personal Data on behalf of Vendor (for purposes of these Security Controls, "Sub-Processors"):
  - Vendor will ensure that Sub-Processors are required to implement security controls no less stringent than those set forth herein, are subject to a legally recognized transfer mechanism if required by applicable law where Personal Data is Processed in a country outside of the country where the Personal Data originates, and are bound by written agreements reflecting the same;
  - Vendor shall provide Qurate Company a list of Vendor’s current Sub-Processors, which shall be updated by Vendor when new Sub-Processors are engaged. Vendor will provide Qurate Company with a mechanism to obtain notification of such updates and may also directly notify Qurate Company in the event additional Sub-Processors may be required;
- Vendor prevents unauthorized access to Systems and Personal Data through the use of physical and logical entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption, pseudonymization and authentication technology, secure log-on procedures, and virus protection, and by monitoring compliance with its policies and standards related to data protection on an ongoing basis. Without limiting the foregoing, Vendor has implemented and complies with the following with respect to Personal Data and Systems:
  - Physical access control measures to prevent unauthorized access to data processing systems such as entry controls including the legitimization of authorized persons (e.g., access ID cards, card readers, alarm systems, burglar alarms, video surveillance and exterior security);
  - Denial-of-use control measures to prevent unauthorized use of data protection systems by technical (keyword/password protection) and organizational measures concerning user identification and authentication (e.g., automatically enforced password complexity, automatic disabling and change requirements, firewalls);
  - Requirements-driven authorization scheme and access rights, and monitoring and logging of system access, to permit access to data processing systems only to persons with appropriate access rights and to further limit such access to only the data needed by such persons to perform services for Qurate Company and its Affiliates;
  - Data transmission control measures to restrict data from being read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and transfer and receipt records. In particular, Vendor’s information security program shall be designed to facilitate the encryption "in transit" of data over public networks to protect the security of the transmission;
  - Penetration tests conducted on Vendor’s systems and applications;
  - When subcontracting Services involving the Processing of sensitive data, Vendor shall execute formal agreements with each subcontractor that require the subcontractor to implement security controls no less stringent than those set forth here;
  - Measures to protect data from accidental destruction or loss including without limitation: data backup, retention and secure destruction policies, secure offsite storage of data sufficient for disaster recovery, uninterrupted power supply, and disaster recovery and emergency programs;
  - Measures to ensure that information collected for different purposes can be Processed separately including without limitation adequate logical separation of data (e.g., “internal client capability”/purpose limitation, separation of functions such as production and test);
  - Return or secure destruction of the data as set forth in the Addendum.
- Copies of Personal Data are not made except to the extent necessary to provide Services to Qurate Company and its Affiliates;
- Vendor has implemented appropriate technical and organizational measures to ensure availability and resilience of Processing systems and services and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- Vendor will implement and maintain the following controls for Accounts. With respect to this Section 12, "Accounts" means Vendor's accounts and accounts or applications Vendor provides to its customers.
  - Vendor shall implement and maintain password authentication and other controls that meet either (A) or (B) below:
    - (A) Password authentication will comply with Security Assertion Markup Language 2.0 (or such other standard that Qurate Company may agree to in writing) and will require multifactor authentication; or
    - (B) (1) passwords are forced to change at least every 90 days; (2) passwords that are changed may not re-use the last 5 passwords; and (3) passwords must have at least an 8-character length and have at least three of the following: lowercase letter, upper case letter, numerical digit, special character.
  - Any Account must be logged out, and require a new login, after 15 minutes of inactivity;
  - For any Account that can be used to access Personal Data, Vendor must maintain logs of activity (including logs of Personal Data accessed, copied, changed, or moved) for at least 90 days;
  - Vendor will use tools to detect, block, and notify QVC of repeated attempts to access Accounts (e.g., credential stuffing/account takeover activity), attempts to access Accounts from locations outside the United States, Japan, United Kingdom or the European Economic Area, and other attempts to access Accounts in a fraudulent or malicious manner.
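A checker for the password rules in alternative (B) above (90-day rotation, no re-use of the last 5 passwords, 8+ characters with three of four character classes), added here as an illustration; it is not code from Vendor or Qurate. It assumes "special character" means ASCII punctuation and keeps password history as salted PBKDF2 hashes so re-use can be checked without storing prior passwords in clear.

```python
import hashlib
import os
import string
from datetime import datetime, timedelta

MAX_AGE_DAYS = 90    # (1) forced change at least every 90 days
HISTORY_DEPTH = 5    # (2) may not re-use the last 5 passwords
MIN_LENGTH = 8       # (3) at least 8 characters ...
MIN_CLASSES = 3      # ... and at least three of the four character classes


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: history entries are not comparable across users
    # and a leaked history table does not reveal the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def complexity_errors(password: str) -> list[str]:
    """Return the rule (3) violations for a candidate password; empty means compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),  # assumption: ASCII punctuation
    ]
    if sum(classes) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} of: lowercase, uppercase, digit, special")
    return errors


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Rule (2): True if the candidate matches any of the last HISTORY_DEPTH (salt, hash) entries."""
    return any(_hash(password, salt) == digest for salt, digest in history[-HISTORY_DEPTH:])


def record_change(password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Append the new password's salted hash and keep only the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return (history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]


def change_required(last_changed_iso: str, now_iso: str) -> bool:
    """Rule (1): the password must be rotated once it is MAX_AGE_DAYS old (ISO 8601 dates)."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= timedelta(days=MAX_AGE_DAYS)
```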
- These Security Controls may be updated from time to time by Qurate Company, and the “Last Updated” date at the beginning of these Security Controls will indicate the date on which the Security Controls were last updated.
- Definitions.
- "Affiliate" means with respect to QVC, Inc. any other present or future entity that directly or indirectly controls, is controlled by, or is under common control with QVC, Inc. For purposes of the preceding sentence, "control", "controlled", and "controls" with respect to an entity means (a) direct or indirect ownership of at least 35% of such entity’s capital stock or other voting interests or (b) the ability to direct the senior management of such entity.
- “Agreement” means any purchase order, contract, or other terms that incorporate these Security Controls.
- “Data Protection Law” means any present or future federal, state, territorial, or local law or regulation that relates to data privacy, data security, or the use or other processing of Personal Data.
- “Personal Data” means information provided to, or Processed by, Vendor or Vendor’s Subcontractors by or on behalf of Qurate Company and its Affiliates if such information identifies, relates to, describes, is capable of being associated with, or could be directly or indirectly linked to a natural person.
- “Processing” means any creation, access, modification, disclosure, transfer, storage, deletion, destruction, or other use of Personal Data.
- “Process” and “Processed” shall be construed in accordance with the preceding part of this definition.
- “Qurate Company” means QVC, Inc. or the Affiliate of QVC, Inc. that is a party to the Agreement with Vendor.
- “Services” means goods, services, technology or other products provided by Vendor under the Agreement.
- "Systems" means applications and other systems (1) used by, or for the benefit of, the Qurate Company or its Affiliates; or (2) that are used by Vendor or Vendor’s agents to access the applications and systems of Qurate Company or its Affiliates.
- “Vendor” means the company that is a party to the Agreement with Qurate Company.